On Oct 6, 2019, at 8:10 PM, John R Levine <johnl(_at_)taugh(_dot_)com> wrote:

> What's wrong with MTA-STS defined in RFC 8461?
> It's defined, it works, it's deployed at a lot of large mail systems.

Small correction. MTA-STS is defined and works at a *small* number of
*very* large mail systems. There are, as best I can measure, only a few
hundred domains covered by MTA-STS, but they include gmail.com and
outlook.com (enforce) and yahoo.com (still testing).

By contrast, DANE is defined and works for a very large number (~1.3
million) of domains that are small to medium mail systems. These
include comcast.net, web.de, gmx.de, protonmail.ch, and some large
domain hosting providers.

Only some in-house certificate management automation appears to stand
between Google and DANE for SMTP; they already have DNSSEC-signed MX
hosts that are live and listed jointly in the Google MX certificates with
the existing, better-known names. Once these have TLSA records, any
of the O(600k) signed domains that presently use Google's various
MX hosts could change their MX RRs to mx[1-4].smtp.goog and have
DANE for their Google-hosted domains.

I would not be surprised to see DANE for Google become available in
the next 12 months, but I can only speculate; it could happen sooner,
or not at all...

ietf-smtp mailing list
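The message above turns on two mechanics: an MX host publishes TLSA records under `_25._tcp.<mx host>`, and a sending MTA either authenticates the server's certificate against those records or falls back to unauthenticated TLS when there are none. The following is an added, simplified model of that RFC 6698 / RFC 7672 matching logic, written for this edit and not code from the thread's participants or from any MTA. The certificate bytes are constructed placeholders rather than real DER, DANE-TA matching checks only that an issuer in the chain matches the record (path validation to that issuer is skipped), and the outcome labels are this example's own. The key-rotation case in the test is the reason the "certificate management automation" mentioned above matters: a DANE-EE record that still names the old key causes a sender to refuse delivery after a rotation.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# Simplified DANE-for-SMTP (RFC 6698 / RFC 7672) TLSA matching.
# All certificate bytes used below are constructed placeholders, not real DER.

@dataclass(frozen=True)
class TLSA:
    usage: int      # 2 = DANE-TA, 3 = DANE-EE; 0 and 1 are unusable for SMTP (RFC 7672)
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo (SPKI)
    matching: int   # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data

# A certificate is modelled as (cert_der, spki_der); chain[0] is the server's leaf.
Cert = Tuple[bytes, bytes]

def tlsa_owner_name(mx_host: str, port: int = 25) -> str:
    """Owner name of the TLSA RRset for an MX host, e.g. _25._tcp.mx1.example."""
    return f"_{port}._tcp.{mx_host.rstrip('.')}."

def parse_tlsa(presentation: str) -> TLSA:
    """Parse the zone-file form '3 1 1 <hex>' into a TLSA record."""
    usage, selector, matching, hexdata = presentation.split(None, 3)
    return TLSA(int(usage), int(selector), int(matching),
                bytes.fromhex(hexdata.replace(" ", "")))

def is_usable(rr: TLSA) -> bool:
    """Usable for SMTP: DANE-TA or DANE-EE with selector/matching types we understand."""
    return rr.usage in (2, 3) and rr.selector in (0, 1) and rr.matching in (0, 1, 2)

def association_data(rr: TLSA, cert: Cert) -> bytes:
    """Compute what the record's data field must equal for this certificate."""
    cert_der, spki_der = cert
    payload = cert_der if rr.selector == 0 else spki_der
    if rr.matching == 0:
        return payload
    if rr.matching == 1:
        return hashlib.sha256(payload).digest()
    return hashlib.sha512(payload).digest()

def record_matches(rr: TLSA, chain: Sequence[Cert]) -> bool:
    """DANE-EE (usage 3) matches the leaf only; DANE-TA (usage 2) matches an issuer
    in the chain. Path validation from the leaf to that issuer is out of scope here."""
    if not is_usable(rr):
        return False
    candidates = chain[:1] if rr.usage == 3 else chain[1:]
    return any(association_data(rr, c) == rr.data for c in candidates)

def dane_decision(tlsa_rrset: Sequence[TLSA], chain: Sequence[Cert]) -> str:
    """Outcome for one MX host, given its DNSSEC-validated TLSA RRset.
    The outcome labels are this example's own simplification of RFC 7672."""
    if not tlsa_rrset:
        return "opportunistic-tls"               # no DANE: TLS if offered, unauthenticated
    usable = [rr for rr in tlsa_rrset if is_usable(rr)]
    if not usable:
        return "tls-required-unauthenticated"    # records exist but none we can apply
    if any(record_matches(rr, chain) for rr in usable):
        return "authenticated"
    return "refuse"                              # usable records, no match: do not deliver

# Constructed sample data: a leaf certificate and its issuer.
LEAF: Cert = (b"constructed leaf cert DER", b"constructed leaf SPKI DER")
ISSUER: Cert = (b"constructed issuer cert DER", b"constructed issuer SPKI DER")
CHAIN = [LEAF, ISSUER]

def sample_zone_records() -> List[str]:
    """TLSA records in zone-file form, derived from the constructed certificates."""
    return [
        "3 1 1 " + hashlib.sha256(LEAF[1]).hexdigest(),    # DANE-EE, SPKI, SHA-256
        "2 0 1 " + hashlib.sha256(ISSUER[0]).hexdigest(),  # DANE-TA, full cert, SHA-256
    ]

if __name__ == "__main__":
    rrset = [parse_tlsa(r) for r in sample_zone_records()]
    print(tlsa_owner_name("mx1.smtp.goog"), dane_decision(rrset, CHAIN))
```

Publishing a DANE-TA (usage 2) record for the issuer alongside the DANE-EE record is one common way to survive a leaf key rotation without a DNS change, which the last two assertions in the test illustrate.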